Blocking phishing attempts with double domains

Blocking phishing attempts with double domains

Tony Sullivan
I have been receiving a lot of phishing attempt e-mails lately that have a
"from" address like this:

valid.user@...@someotherdomain.hn

This appears to be an attempt to fool anyone who isn't paying close
attention into clicking one of the links in the message since it appears
to come from a valid user inside my domain.

I am wondering if there is any way that I can stop messages with "from"
addresses like this.

Re: Blocking phishing attempts with double domains

Wietse Venema
Tony Sullivan:

> I have been receiving a lot of phishing attempt e-mails lately that have a
> "from" address like this:
>
> valid.user@...@someotherdomain.hn
>
> This appears to be an attempt to fool anyone who isn't paying close
> attention into clicking one of the links in the message since it appears
> to come from a valid user inside my domain.
>
> I am wondering if there is any way that I can stop messages with "from"
> addresses like this.

Aren't there spam filters for such things?

You could craft your own regular expression tables and use these in
check_sender_access and header_checks, but most people should not
have to do that.

        Wietse

Re: Blocking phishing attempts with double domains

Matus UHLAR - fantomas
>Tony Sullivan:
>> I have been receiving a lot of phishing attempt e-mails lately that have a
>> "from" address like this:
>>
>> valid.user@...@someotherdomain.hn
>>
>> This appears to be an attempt to fool anyone who isn't paying close
>> attention into clicking one of the links in the message since it appears
>> to come from a valid user inside my domain.
>>
>> I am wondering if there is any way that I can stop messages with "from"
>> addresses like this.

On 04.10.18 17:21, Wietse Venema wrote:
>Aren't there spam filters for such things?

yes - spam and virus filters.

>You could craft your own regular expression tables and use these in
>check_sender_access and header_checks, but most people should not
>have to do that.

agreed, and this question has been brought up many times on the spamassassin
mailing list, and the result is - not an easy thing to do.

(mostly thanks to companies who do that deliberately)

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
BSE = Mad Cow Desease ... BSA = Mad Software Producents Desease
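
The comparison that any regular expression table or filter for this thread's problem has to make, written out as an added example (not code from any of the posters, and not part of Postfix or SpamAssassin): flag a From: value that mentions the local domain while the address that would actually be replied to sits in a different domain. The function names, the local domain example.com and the sample headers are all constructed for illustration.

```python
import re

# Address inside trailing angle brackets, e.g. 'Name <user@host>'.
BRACKETED = re.compile(r"<([^<>]*)>\s*$")


def sender_domain(from_value):
    """Domain of the real address: the text after the LAST '@'."""
    match = BRACKETED.search(from_value)
    address = match.group(1) if match else from_value
    return address.strip().rpartition("@")[2].lower().rstrip(".")


def mentions_domain(from_value, local_domain):
    """True if '@local_domain' appears and is not the prefix of a longer host name."""
    pattern = r"@" + re.escape(local_domain) + r"(?![A-Za-z0-9.-])"
    return re.search(pattern, from_value, re.IGNORECASE) is not None


def is_lookalike_from(from_value, local_domain):
    """Local domain is shown to the reader, but the real sender is elsewhere."""
    local_domain = local_domain.lower()
    real = sender_domain(from_value)
    # Assumption: subdomains of the local domain count as internal senders.
    is_local = real == local_domain or real.endswith("." + local_domain)
    return mentions_domain(from_value, local_domain) and not is_local


# Constructed sample From: values (not taken from real mail).
SAMPLES = [
    '"valid.user@example.com" <accounting@someotherdomain.example>',
    "valid.user@example.com@someotherdomain.example",
    "Valid User <valid.user@example.com>",
    '"valid.user@example.com" <valid.user@example.com>',
    "Newsletter <news@someotherdomain.example>",
]


def flagged(samples, local_domain="example.com"):
    return [s for s in samples if is_lookalike_from(s, local_domain)]


if __name__ == "__main__":
    for value in flagged(SAMPLES):
        print("suspicious From:", value)
```

The fourth sample is the case that makes a naive "local domain in the display name" pattern produce false positives: some mail clients put the sender's own address in the display name, so the check has to compare against the real address rather than match on the display text alone.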